Advanced Threat Mitigations via SSL Intercept

SSL offload has been around for quite some time. But this technology was primarily developed for the web farm audience, offloading SSL traffic from the application servers and putting the load on app...
Published Feb 23, 2016
Version 1.0
AFM
dcsecurity16
fireeye
security
ssl
TMOS
JRahm's avatar
JRahm
Icon for Admin rankAdmin
Jul 27, 2017

the mechanics are simple, insert/replace of each valid Public-Key-Pinning header is supposed to clear out the old entries and set it to the values in the latest response. See section 2.3.1 of the RFC.

 

that said, hpkp is complex and can brick a domain, so tread lightly and -report-only with much validation before pulling the trigger!